Export (0) Print
Expand All
Expand Minimize
4 out of 19 rated this helpful - Rate this topic

Accounts used by application pools or service identities are in the local machine Administrators group (SharePoint Foundation 2010)

SharePoint 2010

Published: August 11, 2011

Rule Name:  Accounts used by application pools or service identities are in the local machine Administrators group.

Summary:  A user account that is used by application pools or services must have permissions of a domain user account and must not be a member of the Farm Administrators group or a member of the Administrators group on the local computer. Using highly privileged accounts for application pools or services poses a security risk to the farm, and could allow malicious code to execute.

Cause:  Accounts that are used by application pools or services are members of the Administrators group on the local computer.

Resolution: Change the user account to a predefined account, or to a domain user account that is not a member of the Administrators group.

  1. Verify that the user account that is performing this procedure is a member of the Farm Administrators group.

  2. On the Central Administration home page, in the Security section, click Configure service accounts.

  3. On the Service Accounts page, in the Select the component to update list, click the application pool or service that uses the credentials of a member of the Administrators group on the local computer as its security account.

  4. In the Select an account list, click an appropriate account for this component — for example, the predefined account Network Service — or click Register new managed account, and then on the Register Managed Account page, specify the credentials and the password change settings that you want.

  5. Click OK.

For more information, see Initial deployment administrative and service accounts (SharePoint Foundation 2010).

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft. All rights reserved.